CERT VU:139129
History: Apr 16, 2003 - 12:00 a.m.

Heap overflow in Snort "stream4" preprocessor

Source: www.kb.cert.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.36 Low (Percentile: 97.1%)

Overview

The Snort “stream4” preprocessor module contains a vulnerability that allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root.

Description

Researchers at CORE Security Technologies have discovered a remotely exploitable heap overflow in the Snort “stream4” preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis.

To exploit this vulnerability, an attacker must disrupt the state tracking mechanism of the preprocessor module by sending a series of packets with crafted sequence numbers. This causes the module to bypass a check for buffer overflow attempts and allows the attacker to insert arbitrary code into the heap.

For further information, please read the Core Security Technologies Advisory located at

http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior to RC1.


Impact

This vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running Snort, typically root. Please note that it is not necessary for the attacker to know the IP address of the Snort device they wish to attack; merely sending malicious traffic where it can be observed by an affected Snort sensor is sufficient to exploit this vulnerability.


Solution

Upgrade to Snort 2.0

This vulnerability is addressed in Snort version 2.0, which is available at

http://www.snort.org/dl/snort-2.0.0.tar.gz

Binary-only versions of Snort are available from

http://www.snort.org/dl/binaries


Disable the “stream4” preprocessor module

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor module in the “snort.conf” configuration file. To do this, comment out the following line:

preprocessor stream4_reassemble

After commenting out the affected module, send a SIGHUP signal to the affected Snort process to update the configuration. Note that disabling this module may have adverse effects on a sensor’s ability to correctly process TCP packet fragments. In particular, disabling this module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

Block outbound packets from Snort IDS systems

You may be able to limit an attacker’s capabilities if the system is compromised by blocking all outbound traffic from the Snort sensor. While this workaround will not prevent exploitation of the vulnerability, it may make it more difficult for the attacker to create a useful exploit.


Vendor Information


Debian: Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian Security Advisory DSA 297-1 [email protected]
http://www.debian.org/security/ Martin Schulze
May 1st, 2003 http://www.debian.org/security/faq

Package : snort
Vulnerability : integer overflow, buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2003-0033 CAN-2003-0209
CERT advisories: VU#139129 VU#916785
Bugtraq Ids : 7178 6963

Two vulnerabilities have been discovered in Snort, a popular network
intrusion detection system. Snort comes with modules and plugins that
perform a variety of functions such as protocol analysis. The
following issues have been identified:

Heap overflow in Snort “stream4” preprocessor (VU#139129, CAN-2003-0209, Bugtraq Id 7178)

Researchers at CORE Security Technologies have discovered a remotely exploitable integer overflow that results in overwriting the heap in the "stream4" preprocessor module. This module allows Snort to reassemble TCP packet fragments for further analysis. An attacker could insert arbitrary code that would be executed as the user running Snort, probably root.

Buffer overflow in Snort RPC preprocessor (VU#916785, CAN-2003-0033, Bugtraq Id 6963)

Researchers at Internet Security Systems X-Force have discovered a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Snort incorrectly checks the lengths of what is being normalized against the current packet size. An attacker could exploit this to execute arbitrary code under the privileges of the Snort process, probably root.

For the stable distribution (woody) these problems have been fixed in version 1.8.4beta1-3.1.
The old stable distribution (potato) is not affected by these problems since it doesn't contain the problematic code.
For the unstable distribution (sid) these problems have been fixed in version 2.0.0-1.
We recommend that you upgrade your snort package immediately.
You are also advised to upgrade to the most recent version of Snort, since Snort, as any intrusion detection system, is rather useless if it is based on old and out-dated data and not kept up to date. Such installations would be unable to detect intrusions using modern methods. The current version of Snort is 2.0.0, while the version in the stable distribution (1.8) is quite old and the one in the old stable distribution is beyond hope.
Since Debian does not update arbitrary packages in stable releases, even Snort is not going to see updates other than to fix security problems, you are advised to upgrade to the most recent version from third party sources.
The Debian maintainer for Snort provides backported up-to-date packages for woody (stable) and potato (oldstable) for cases where you cannot upgrade your entire system. These packages are untested, though and only exist for the i386 architecture:
deb http://people.debian.org/~ssmeenk/snort-stable-i386/ ./
deb-src http://people.debian.org/~ssmeenk/snort-stable-i386/ ./

deb http://people.debian.org/~ssmeenk/snort-oldstable-i386/ ./
deb-src http://people.debian.org/~ssmeenk/snort-oldstable-i386/ ./

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

These files will probably be moved into the stable distribution on its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: 'apt-cache show <pkg>' and http://packages.debian.org/<pkg>

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23139129 Feedback>).

Gentoo Linux: Affected

Notified: April 22, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

GENTOO LINUX SECURITY ANNOUNCEMENT 200304-06

PACKAGE : snort
SUMMARY : Multiple Vulnerabilities in Snort Preprocessors
DATE : 2003-04-28 07:07 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <snort-2.0.0
FIXED VERSION : >=snort-2.0.0
CVE : CAN-2003-0209 CAN-2003-0033

New (and correct) ID and updated CVE link.

From advisories:

“The Sourcefire Vulnerability Research Team has learned of an integer overflow
in the Snort stream4 preprocessor used by the Sourcefire Network Sensor
product line. The Snort stream4 preprocessor (spp_stream4) incorrectly
calculates segment size parameters during stream reassembly for certain
sequence number ranges which can lead to an integer overflow that can be
expanded to a heap overflow.

The Snort stream4 flaw may lead to a denial of service (DoS) attack or
remote command execution on a host running Snort. This attack can be launched
by crafting TCP stream packets and transmitting them over a network segment
that is being monitored by a vulnerable Snort implementation. In its
default configuration, certain versions of snort are vulnerable to this
attack, as is the default configuration of the Snort IDS.”

“Remote attackers may exploit the buffer overflow condition to run
arbitrary code on a Snort sensor with the privileges of the Snort IDS
process, which typically runs as the superuser. The vulnerable
preprocessor is enabled by default. It is not necessary to establish an
actual connection to a RPC portmapper service to exploit this
vulnerability.”

Read the full advisories at:
http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
http://www.snort.org/advisories/snort-2003-04-16-1.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-analyzer/snort upgrade to snort-2.0.0 as follows:

emerge sync
emerge snort
emerge clean

[email protected] - GnuPG key is available at http://cvs.gentoo.org/~aliz


Guardian Digital Inc.: Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Guardian Digital Security Advisory, April 30, 2003
http://www.guardiandigital.com
ESA-20030430-013

Package: snort
Summary: stream4 preprocessor integer overflow vulnerability

EnGarde Secure Linux is an enterprise class Linux platform engineered to enable corporations to quickly and cost-effectively build a complete and secure Internet presence while preventing Internet threats.

OVERVIEW

There is an integer overflow vulnerability in the stream4 preprocessor of the Snort IDS system.

Guardian Digital products affected by this issue include:

EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0209 to this issue.

It is recommended that all users apply this update as soon as possible.

SOLUTION

Guardian Digital Secure Network subscribers may automatically update affected systems by accessing their account from within the Guardian Digital WebTool.

To modify your GDSN account and contact preferences, please go to:
https://www.guardiandigital.com/account/

Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:
SRPMS/snort-2.0.0-1.0.10.src.rpm MD5 Sum: e4dea6592038fa6e487607c1d1adbba4

i386/snort-2.0.0-1.0.10.i386.rpm MD5 Sum: e530e2b93853e1082dec8de4f494e95a

i686/snort-2.0.0-1.0.10.i686.rpm MD5 Sum: 3d0770923eedd9d28484984e13a23260

REFERENCES

Snort's Official Web Site: http://www.snort.org/

Guardian Digital Advisories: http://infocenter.guardiandigital.com/advisories/

Security Contact: [email protected]

Author: Ryan W. Maple <[email protected]>
Copyright 2003, Guardian Digital, Inc.


MandrakeSoft: Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

________________________________________________________________________
Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name: snort
Advisory ID: MDKSA-2003:052
Date: April 28th, 2003
Affected versions: 8.2, 9.0, 9.1, Corporate Server 2.1, Multi Network Firewall 8.2
________________________________________________________________________
Problem Description:

An integer overflow was discovered in the Snort stream4 preprocessor
by the Sourcefire Vulnerability Research Team. This preprocessor
(spp_stream4) incorrectly calculates segment size parameters during
stream reassembly for certain sequence number ranges. This can
lead to an integer overflow that can in turn lead to a heap overflow
that can be exploited to perform a denial of service (DoS) or even
remote command execution on the host running Snort.

Disabling the stream4 preprocessor will make Snort invulnerable to this attack, and the flaw has been fixed upstream in Snort version 2.0. Snort versions 1.8 through 1.9.1 are vulnerable.
________________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0209
http://www.snort.org/advisories/snort-2003-04-16-1.txt
________________________________________________________________________
Updated Packages:
________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

To upgrade automatically, use MandrakeUpdate. The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with “rpm -Fvh *.rpm”. A list of
FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package. You can do this with the command:

rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain
the GPG public key of the Mandrake Linux Security Team from:

https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact
security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>


SmoothWall: Affected

Notified: April 17, 2003 Updated: April 21, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SmoothWall firewall is affected by this vulnerability; for more information, please see

http://www.smoothwall.org/beta/bugs/mallard-006.html


Snort: Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Affected

Vendor Statement

`Snort™ Advisory: Integer Overflow in Stream4

Date: April 16, 2003

Affected Versions:
All versions of the following products are affected:

  • Snort 1.8 through 1.9.1
  • Snort CVS - current branch up to version 2.0.0 beta

Synopsis:
The Sourcefire Vulnerability Research Team has learned of an integer overflow
in the Snort stream4 preprocessor used by the Sourcefire Network Sensor
product line. The Snort stream4 preprocessor (spp_stream4) incorrectly
calculates segment size parameters during stream reassembly for certain
sequence number ranges which can lead to an integer overflow that can be
expanded to a heap overflow.

The Snort stream4 flaw may lead to a denial of service (DoS) attack or
remote command execution on a host running Snort. This attack can be launched
by crafting TCP stream packets and transmitting them over a network segment
that is being monitored by a vulnerable Snort implementation. In its
default configuration, certain versions of snort are vulnerable to this
attack, as is the default configuration of the Snort IDS.

Disabling the stream4 preprocessor will make the snort invulnerable to the
attack.

To disable the stream4 preprocessor, edit snort.conf and replace any lines
that begin with “preprocessor stream4” with “# preprocessor stream4”

NOTE: Disabling the stream4 preprocessor disables stateful inspection and
stream reassembly and could allow someone to evade snort using tcp stream
segmentation attacks.

Patches:

Snort 2.0 has been released and corrects this vulnerability.

© 2003 Sourcefire, Inc. All rights reserved.
Sourcefire and Snort are trademarks or registered trademarks of Sourcefire, INC.
`
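
The workaround in the Snort advisory above, commenting out every line that begins with "preprocessor stream4", can be scripted as shown here. This is an added example, not part of the CERT note or the Snort advisory; the function names and the sample configuration are constructed, and tolerating leading whitespace before the directive is an assumption beyond the advisory's wording.

```shell
#!/bin/sh
# Added example: apply the advisory's stream4 workaround to a snort.conf.
# Function names and the sample config are constructed for illustration.

# Pattern for an active (uncommented) stream4 directive. Leading whitespace is
# tolerated (an assumption); "stream4_reassemble" matches too, since it also
# begins with "preprocessor stream4".
STREAM4_RE='^[[:space:]]*preprocessor[[:space:]][[:space:]]*stream4'

# Print how many lines still enable a stream4 preprocessor.
active_stream4_count() {
    grep -c "$STREAM4_RE" "$1" || true   # grep exits 1 on zero matches
}

# Comment out every active stream4 line in place, keeping <conf>.bak.
# Prints the number of lines changed; a second run changes nothing.
disable_stream4() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    before=$(active_stream4_count "$conf")
    if [ "$before" -eq 0 ]; then
        echo 0
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    if sed 's/^\([[:space:]]*\)\(preprocessor[[:space:]][[:space:]]*stream4\)/\1# \2/' \
        "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # overwrite contents, preserving owner and mode
    fi
    rm -f "$tmp"
    # Verify: do not report success if any directive is still active.
    [ "$(active_stream4_count "$conf")" -eq 0 ] || return 1
    echo "$before"
}

# Constructed sample configuration (not from a real sensor).
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
  preprocessor stream4_reassemble
# preprocessor stream4: disable_evasion_alerts
preprocessor http_decode: 80
EOF
}

# Usage: disable_stream4 path/to/snort.conf   (then restart Snort)
```

A non-zero result from `active_stream4_count` after the edit means the sensor would still load the vulnerable preprocessor on restart.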

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Snort has released version 2.0 to address this vulnerability. This version is available at

http://www.snort.org/dl/snort-2.0.0.tar.gz


Apple Computer Inc. Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Snort is not shipped with Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva Not Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : snort
SUMMARY : Vulnerability in the stream4 preprocessor
DATE : 2003-05-06 21:44:00
ID : CLA-2003:642
RELEVANT RELEASES : 8, 9

DESCRIPTION

Snort is an Open Source Network Intrusion Detection System (NIDS).

Core Security has discovered[1] a remotely exploitable integer overflow vulnerability in Snort. It resides in the stream4 preprocessor, which is responsible for normalizing TCP traffic before its analysis by the rules processor.

A remote attacker able to insert specially crafted TCP traffic in the network being monitored by snort may crash the sensor or execute arbitrary code in its context, which is run by the root user.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0209 to this issue[2].

Since the stream4 preprocessor is present only in snort versions >= 1.8, users of Conectiva Linux versions 6.0 and 7.0 are not vulnerable to this attack.

Additionally, a preventive fix for a possible problem with the use of the memcpy() function in the frag2 preprocessor code was added[3].

IMPORTANT: Please note that this update includes snort 1.9.1. The snort version originally distributed with Conectiva Linux 8 was 1.8.4b1 (already updated to 1.9.1 in the last snort security[4] announcement). Since several components have changed in snort 1.9.1, the old snort.conf file and the alerts database need some small changes in order to work with this new version. Instructions about how to smoothly upgrade from 1.8.4b1 are available in the package documentation and in our last snort security announcement[4], released on 04/04/2003.

SOLUTION

All snort users should upgrade.

REFERENCES:

1. http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0209
3. http://sourceforge.net/mailarchive/message.php?msg_id=4457321
4. http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000613

UPDATED PACKAGES

  • ftp://atualizacoes.conectiva.com.br/8/RPMS/snort-1.9.1-1U80_3cl.i386.rpm
  • ftp://atualizacoes.conectiva.com.br/8/SRPMS/snort-1.9.1-1U80_3cl.src.rpm
  • ftp://atualizacoes.conectiva.com.br/9/RPMS/snort-1.9.1-27951U90_2cl.i386.rpm
  • ftp://atualizacoes.conectiva.com.br/9/SRPMS/snort-1.9.1-27951U90_2cl.src.rpm

ADDITIONAL INSTRUCTIONS

The apt tool can be used to perform RPM packages upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at <http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en>

All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at <http://distro.conectiva.com.br/seguranca/chave/?idioma=en>

Instructions on how to check the signatures of the RPM packages can be found at <http://distro.conectiva.com.br/seguranca/politica/?idioma=en>

All our advisories and generic update instructions can be viewed at <http://distro.conectiva.com.br/atualizacoes/?idioma=en>

Copyright (c) 2003 Conectiva Inc. <http://www.conectiva.com>

Fujitsu Not Affected

Notified: April 16, 2003 Updated: May 19, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not affected by the problem in VU#139129 and [VU#]916785 because it does not support the Snort.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Ingrian Networks Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Ingrian Networks products are not susceptible to VU#139129 and VU#916785 since they do not use Snort.

Ingrian customers who are using the IDS Extender Service Engine to mirror cleartext data to a Snort-based IDS should upgrade their IDS software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

NetBSD does not include snort in the base system.

Snort is available from the 3rd party software system, pkgsrc. Users who have installed net/snort, net/snort-mysql or net/snort-pgsql should update to a fixed version. pkgsrc/security/audit-packages can be used to keep up to date with these types of issues.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc. Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

Red Hat does not ship Snort in any of our supported products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI Not Affected

Notified: April 16, 2003 Updated: April 17, 2003

Status

Not Affected

Vendor Statement

SGI does not ship snort as part of IRIX.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


BSDI Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Data General Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MontaVista Software Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NEC Corporation Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nokia Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


OpenBSD Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Openwall GNU/*/Linux Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sony Corporation Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO Linux) Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare) Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Unisys Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Wind River Systems Inc. Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Wirex Unknown

Notified: April 16, 2003 Updated: April 17, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Acknowledgements

This vulnerability was discovered by Bruce Leidl, Juan Pablo Martinez Kuhn, and Alejandro David Weil of Core Security Technologies.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0209
CERT Advisory: CA-2003-13
Severity Metric:
